Merge pull request #5677 from freedomofpress/disable_v2_on_restore_on…

…_focal Disable v2 onion addresses on restore on Focal
freedomofpress · Feb 24, 2021 · f856c5b · f856c5b
2 parents d45857d + 8835810
commit f856c5b
Show file tree

Hide file tree

Showing 3 changed files with 135 additions and 1 deletion.
diff --git a/install_files/ansible-base/roles/restore/files/compare_torrc.py b/install_files/ansible-base/roles/restore/files/compare_torrc.py
@@ -49,6 +49,10 @@ def strset(s):
         print("The Tor configuration in the backup matches the server.")
         sys.exit(0)
 
+    if (3 in server_versions) and (3 in backup_versions):
+        print("V3 services detected in backup and server - proceeding with v3-only restore")
+        sys.exit(0)
+
     print(
         "The Tor configuration on the app server offers version {} services.".format(
             strset(server_versions)

diff --git a/install_files/ansible-base/roles/restore/files/disable_v2.py b/install_files/ansible-base/roles/restore/files/disable_v2.py
@@ -0,0 +1,89 @@
+#!/usr/bin/env python3
+# To execute on prod:
+# python3 disable_v2.py /etc/tor/torrc /etc/tor/torrc
+# To execute for testing locally:
+# python3 disable_v2.py /etc/tor/torrc /tmp/dumytorrc
+import sys
+
+
+def filter_v2(filename):
+    # Read the file
+    with open(filename) as f:
+        data = f.readlines()
+    # We will store the filtered lines to result
+    result = []
+
+    i = 0
+    while i < len(data):
+        line = data[i]
+        if line == "HiddenServiceDir /var/lib/tor/services/source\n":
+            i += 1
+            while data[i].strip() == "":
+                i += 1
+            line = data[i]
+            if line == "HiddenServiceVersion 2\n":
+                i += 1
+                line = data[i]
+                while data[i].strip() == "":
+                    i += 1
+                line = data[i]
+                if line == "HiddenServicePort 80 127.0.0.1:80\n":
+                    i += 1
+                    continue
+        # Now check for journalist
+        if line == "HiddenServiceDir /var/lib/tor/services/journalist\n":
+            i += 1
+            while data[i].strip() == "":
+                i += 1
+            line = data[i]
+            if line == "HiddenServiceVersion 2\n":
+                i += 1
+                line = data[i]
+                while data[i].strip() == "":
+                    i += 1
+                line = data[i]
+                if line == "HiddenServicePort 80 127.0.0.1:8080\n":
+                    i += 1
+                    line = data[i]
+                    while data[i].strip() == "":
+                        i += 1
+                    line = data[i]
+                    if line == "HiddenServiceAuthorizeClient stealth journalist\n":
+                        i += 1
+                        continue
+        # Now the v2 ssh access
+        if line == "HiddenServiceDir /var/lib/tor/services/ssh\n":
+            i += 1
+            while data[i].strip() == "":
+                i += 1
+            line = data[i]
+            if line == "HiddenServiceVersion 2\n":
+                i += 1
+                line = data[i]
+                while data[i].strip() == "":
+                    i += 1
+                line = data[i]
+                if line == "HiddenServicePort 22 127.0.0.1:22\n":
+                    i += 1
+                    line = data[i]
+                    while data[i].strip() == "":
+                        i += 1
+                    line = data[i]
+                    if line == "HiddenServiceAuthorizeClient stealth admin\n":
+                        i += 1
+                        continue
+
+        result.append(line)
+        i += 1
+
+    # Now return the result
+    return result
+
+
+if __name__ == "__main__":
+    filename = sys.argv[1]
+    outputfilename = sys.argv[2]
+    result = filter_v2(filename)
+    with open(outputfilename, "w") as fobj:
+        for line in result:
+            fobj.write(line)
diff --git a/install_files/ansible-base/roles/restore/tasks/main.yml b/install_files/ansible-base/roles/restore/tasks/main.yml
@@ -32,6 +32,7 @@
   connection: local
   become: no
   command: "python {{ role_path }}/files/compare_torrc.py {{ torrc_check_dir.path }}"
+  register: compare_result
 
 - name: Remove temporary directory for Tor configuration check
   connection: local
@@ -52,7 +53,17 @@
     dest: /
     remote_src: yes
     src: "/tmp/{{ restore_file}}"
-  when: restore_skip_tor is not defined
+  when: (restore_skip_tor is not defined) and
+        ("V3 services detected" not in compare_result.stdout)
+
+- name: Extract backup, using v3 services only
+  unarchive:
+    dest: /
+    remote_src: yes
+    src: "/tmp/{{ restore_file}}"
+    exclude: "var/lib/tor/services/source,var/lib/tor/services/journalist,var/lib/tor/services/ssh"
+  when: (restore_skip_tor is not defined) and
+        ("V3 services detected" in compare_result.stdout)
 
 - name: Extract backup, skipping tor service configuration
   unarchive:
@@ -73,6 +84,36 @@
     name: apache2
     state: reloaded
 
+- name: Copy disable_v2.py script for Focal
+  copy:
+    src: "{{ role_path }}/files/disable_v2.py"
+    dest: /opt/disable_v2.py
+  when: (ansible_distribution_release == 'focal') or
+        ("V3 services detected" in compare_result.stdout)
+
+- name: Execute disable_v2 script on Focal
+  command: python3 /opt/disable_v2.py /etc/tor/torrc /etc/tor/torrc
+  when: (ansible_distribution_release == 'focal') or
+        ("V3 services detected" in compare_result.stdout)
+
+- name: Remove v2 tor source directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/source
+  when: ansible_distribution_release == 'focal'
+
+- name: Remove v2 tor journalist directory
+  file:
+    state: absent
+    path: /var/lib/tor/services/journalist
+  when: ansible_distribution_release == 'focal'
+
+- name: Remove disable_v2.py script on Focal
+  file:
+    state: absent
+    path: /opt/disable_v2.py
+  when: ansible_distribution_release == 'focal'
+
 - name: Reload Tor service
   service:
     name: tor